Specify properties of the Secret as part of Database instance - Description, ExcludeCharacters #4144
Comments
You can do this as a workaround:

```typescript
// Reach the generated DatabaseSecret construct underneath the instance
const dbSecret = appDbInstance.node.tryFindChild('Secret') as rds.DatabaseSecret;
// Drop to the L1 CfnSecret so the raw CloudFormation property can be overridden
const cfnSecret = dbSecret.node.defaultChild as secretsmanager.CfnSecret;
// Add ';' to the characters excluded from the generated password
cfnSecret.addPropertyOverride('GenerateSecretString.ExcludeCharacters', '"@/\\;');
```

which will target the
Thanks for submitting this request! It seems like a reasonable feature, however it may take some time to address since it is a fairly specific use-case (if other community members disagree, please leave a comment here!). If you want to see it implemented faster, the best way may be to submit a PR, and we will make sure it gets reviewed!

We are impacted by this. The backtick

Note that you can workaround this limitation by creating your own Secret and using the

We also ran into this, since DMS is not compatible with any of
I tried the following and am still seeing secrets which break DMS when I rotate:

```typescript
// Enable single-user rotation on the cluster and expose the rotated secret
const masterSecret = this.cluster.addRotationSingleUser();
new cdk.CfnOutput(this, 'TheMasterSecret', { value: masterSecret.toString() });

// Workaround to avoid DMS breaking passwords
// https://github.com/aws/aws-cdk/issues/4144#issuecomment-533500069
const dbSecret = this.cluster.node.tryFindChild('Secret') as rds.DatabaseSecret;
const cfnSecret = dbSecret.node.defaultChild as secretsmanager.CfnSecret;
cfnSecret.addPropertyOverride('GenerateSecretString.ExcludeCharacters', '"@/\\;+%');
```

I destroyed and redeployed the entire stack. Then I clicked What do I need to do to ensure DMS-compatible secrets?
I see that aws-samples/aws-secrets-manager-rotation-lambdas#32 now supports configurable

It looks like while the lambda is updated, the SAM isn't yet: https://console.aws.amazon.com/lambda/home?region=us-east-1#/create/app?applicationId=arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser doesn't have excludedCharacters in the Application settings. I guess the next step is finding that code and adding a PR.

I noticed excludeCharacters now appears in the AWS console within SecretsManagerRDSMySQLRotationSingleUser, version 1.1.60 for region us-east-1: https://console.aws.amazon.com/lambda/home?region=us-east-1#/create/app?applicationId=arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser

@skinny85 I think the next and last step involves adding some plumbing to the Aurora module. I'll take a stab at it tomorrow.
…eSecret Change the default excludeCharacters for Cluster, Instance and DatabaseSecret to the character set " %+~`#$&*()|[]{}:;<>?!'/@\"\\", as the previous set ('"@/\\') had a tendency to generate problematic passwords that wouldn't work in the shell, or with services like DMS. Do the same for single- and multi-user rotations in Cluster and Instance as well. Also allow passing a custom excludeCharacters for Credentials and SnapshotCredentials, and also in addSingleUserRotation and addMultiUserRotation.

Fixes aws#4144

BREAKING CHANGE: the default excludeCharacters set for Instance, Cluster and DatabaseSecret is now " %+~`#$&*()|[]{}:;<>?!'/@\"\\"
* **rds**: the default excludeCharacters for addSingleUserRotation and addMultiUserRotation is now " %+~`#$&*()|[]{}:;<>?!'/@\"\\"
* **rds**: Instance.addSingleUserRotation now takes options as the first argument, instead of just Duration
* **rds**: Cluster.addSingleUserRotation now takes options as the first argument, instead of just Duration
…words for Cluster, Instance, DatabaseSecret Change the default excludeCharacters for Cluster, Instance and DatabaseSecret to the character set ``" %+~`#$&*()|[]{}:;<>?!'/@\"\\"``, as the previous set (`'"@/\\'`) had a tendency to generate problematic passwords that wouldn't work in the shell, or with services like DMS. Do the same for single- and multi-user rotations in Cluster and Instance as well. Also allow passing a custom excludeCharacters for Credentials and SnapshotCredentials, and also in addSingleUserRotation and addMultiUserRotation.

Fixes #4144

BREAKING CHANGE: the default generated password exclude characters set for Instance, Cluster and `DatabaseSecret` is now ``" %+~`#$&*()|[]{}:;<>?!'/@\"\\"``
* **rds**: the default generated password exclude characters for `addSingleUserRotation()` and `addMultiUserRotation()` in Cluster and Instance is now ``" %+~`#$&*()|[]{}:;<>?!'/@\"\\"``
* **rds**: `Instance.addSingleUserRotation()` now takes options object as the first argument, instead of just `Duration`
* **rds**: `Cluster.addSingleUserRotation()` now takes options object as the first argument, instead of just `Duration`
* **rds**: `SnapshotCredentials.fromGeneratedPassword()` now takes an option object as the second argument, instead of just `IKey`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@skinny85 anything to do to migrate existing
When doing `new rds.DatabaseInstance(this, 'AppDb', { ... })`, a secret is automatically generated with the database's connection info. This is super useful, but not quite sufficient for my use case. I'd like to be able to specify the secret properties when creating the RDS instance.

**Use Case**

I need to specify some other characters to exclude from the generated password (specifically `;`, since I'll be assembling a semicolon-delimited connection string like `Host=abc.com;Port=5432;Username=admin;Password=p@ssw0rd;`).

**Proposed Solution**

Add a `secretProperties` property to the RDS `DatabaseInstanceProps` that mixes in any specified options with the defaults when creating the DB secret, e.g.:

**Other**

I would override this manually, but trying this only adds a property to the `SecretTargetAttachment`, not the Secret itself:

This is a 🚀 Feature Request